SECTION C
Scope of Work/Statement of Task 


PART 1 
1.0 GENERAL INFORMATION 


1.1. Synopsis: This is a non-personal services contract to provide Defense Health Program
(DHP) J-8 Readiness Analytic Support — Cost Modeling Support of Defense Health Agency
(DHA).


1.2. Description of services/introduction: The contractor shall provide all personnel,
equipment, supplies, facilities, transportation, tools, materials, supervision, and other items and 
non-personal services necessary to perform. 


1.3. Background: This is a non-personal services contract to provide oversight support to the 
Office of the Defense Health Agency to improve the effectiveness and efficiency of the Defense
Health Program (DHP). 


1.4. Objectives: The contract seeks to provide better oversight cost and performance 
management; cost modeling services; pricing decisions; audit, accounting, and internal controls 
oversight; financial data and economic analyses using modeling and consulting services to 
improve evidentiary and data-driven policymaking for the DHP and Military Health System 
(MHS) strategies in order to assist DHA in the performance of responsibilities. The contract will 
develop metrics to measure the healthcare program’s performance against MHS operational and 
strategic goals. The contract will also provide analysis support to explain how the model works 
to relevant stakeholders. 


1.5. Scope: The contractor shall support DHA with cost and performance management services 
built around the guiding principles of applying relevant leading practices for decision support 
with data analysis and consulting services to evaluate effectiveness of DHP appropriations and 
MHS policies. This includes delivering early insights to provide initial cost transparency upfront, 
gaining buy-in for change, validating the approach, and prioritizing people, process, and 
technology changes that can be implemented strategically. This includes financial, audit, 
accounting, and data analytics support services centered on DHA governance priorities, to 
include (but not limited to) policy performance via a discrete modeling and interpretive analysis 
of policy measurements along with other DHA priority focus areas such as private sector care 
cost modeling and analysis. 


1.6. Administrative specifications 
1.6.1. Place of performance: The work shall be performed at both contractor facilities and
Government facilities. Government facilities include the Defense Health Headquarters (DHHQ)
in Falls Church, Virginia.


1.6.2. Recognized Federal holidays: Contractor is not required to perform services on the 
following holidays: 
New Year’s Day
Martin Luther King Jr.’s Birthday
President’s Day
Memorial Day
Juneteenth/Emancipation Day
Independence Day
Labor Day
Columbus Day
Veteran’s Day
Thanksgiving Day
Christmas Day


1.6.3. Hours of operation: The contractor is responsible for conducting business Monday through
Friday except Federal holidays or when the Government facility is closed due to local or national 
emergencies, administrative closings, or similar Government directed facility closings. The 
contractor must at all times maintain an adequate workforce for the uninterrupted performance of 
all tasks defined within this PWS when the Government facility is not closed for the above 
reasons. 


1.6.4. Emergency Services: On occasion, services may be required to support an activation or 
exercise of contingency plans outside the normal duty hours. 


1.7. Quality 


1.7.1. Quality Control (QC): The contractor shall develop and maintain an effective QC 
program to ensure services are performed in accordance with this PWS. The contractor shall 
develop and implement procedures to identify, prevent, and ensure nonrecurrence of defective 
services. The contractor’s QC program is the means by which the work complies with stated 
requirements. The contractor shall prepare and adhere to a Quality Control Plan (QCP). The 
QCP will initially be submitted with the offeror’s quote and will be updated upon award. The 
QCP shall document how the contractor shall meet and comply with the quality standards 
established in this statement of work. At a minimum, the QCP must include a self-inspection 
plan, an internal staffing plan, and an outline of the procedures that the contractor shall use to 
maintain quality, timeliness, responsiveness, customer satisfaction, and any other requirements 
set forth in this solicitation. The updated QCP shall be delivered within 30 calendar days after 
contract award. Three (3) copies of the comprehensive written QCP shall be submitted to the KO 
and COR within 5 working days when changes are made thereafter. After acceptance of the 
Quality Control Plan (QCP) the contractor shall receive the CO’s acceptance in writing of any 
proposed change to his QC system. See Part 7, Technical Exhibit 1. 


1.7.2. Quality Assurance (QA): The Government will evaluate the contractor’s performance 
under this contract in accordance with the Quality Assurance Surveillance Plan (QASP). This 
plan provides a systematic method for the Government to evaluate performance and to ensure 
that the contractor has performed in accordance with the performance standards. It defines how 
the performance standards will be applied, the frequency of surveillance, and the minimum 
acceptable defect rate(s). 

1.8. Contractor personnel


1.8.1. CAC requirements: For all contractors who will work in Government facilities, the 
Facilities Security Officer (FSO)/Company's Security point of contact (POC) will provide the 
Government all the required information per the DHA CAC request process current version 2.1, 
January 2018, or more recent when updated. See process attached at Part 7 Section 7.1.1 of the 
PWS. A CAC is the standard identification for eligible DoD contractor personnel. 


1.8.1.1. The contractor shall return all CACs to the COR upon the departure of the contractor(s). 


1.8.2. Contractor onboarding and training. The contractor shall complete all requirements, 
training, and forms as prescribed in the following requirements: 


1.8.2.1. The DHA’s “Onboarding Checklist for Contractor Employees” is located at the DHA 
Onboarding and Offboarding Portal at:
https://info.health.mil/cos/admin/hr/IO/SitePages/Home.aspx 


1.8.2.2. The DHA’s contractor training instructions embedded at Part 7 Section 7.1.2. 


1.8.2.3. The contractor shall comply with onboarding requirements of the DHA for contractors 
needing to be issued CAC identification, including DoD- and DHA-directed training and forms 
submission, prior to network access, as displayed in the In/Out-Processing Portal at:
https://info.health.mil/cos/admin/hr/IO/SitePages/home.aspx (note: Public Key Infrastructure 
(PKI)-restricted, printed versions available). 


1.8.2.4. The assigned COR will facilitate and assist as necessary to complete DHA onboarding 
requirements. 


1.8.3. Physical Security: The contractor shall be responsible for safeguarding all Government 
equipment, information and property provided for contractor use. At the close of each work 
period, Government facilities, equipment, and materials shall be secured. 


1.9. Data rights: The Government has unlimited rights to all documents/material produced 
under this contract. All documents and materials, to include the source codes of any software, 
produced under this contract shall be Government owned and are the property of the Government 
with all rights and privileges of ownership/copyright belonging exclusively to the Government. 
These documents and materials may not be used or sold by the contractor without written 
permission from the Contracting Officer. All materials supplied to the Government shall be the 
sole property of the Government and may not be used for any other purpose. This right does not 
abrogate any other Government rights. 


1.10. Reporting 
1.10.1. Non-Disclosure Agreement (NDA): All contractor personnel who will obtain access to
proprietary, classified, or confidential information or any information release of which is
protected or governed by law or regulation associated with DHA acquisitions shall be required to
complete and sign a DHA contractor NDA (DHA Form 49) prior to beginning work on the
subject contract. The contractor shall execute an NDA on behalf of the company and shall ensure
that all staff assigned to, including all subcontractors and consultants, or other personnel
performing on contract/Task order execute an NDA protecting the procurement sensitive
information of the Government and the proprietary information of other contractors. The NDA
shall be executed not later than the first day of employment and shall be renewed upon exercising a
contract option period. Assignment of staff who have not executed this statement or failure to
adhere to this statement shall constitute default on the part of the contractor. The contractor shall
maintain originally signed NDAs of individual employees and provide a copy to the COR.


1.10.2. Government’s COR: The COR monitors all technical aspects of the contract and assists 
in contract administration. The COR is authorized to perform the following functions: assure that 
the contractor performs the technical requirements of the contract; perform inspections necessary 
in connection with contract performance; maintain written and oral communications with the 
contractor concerning technical aspects of the contract; issue written interpretations of technical 
requirements, including Government drawings, designs, specifications; monitor contractor's 
performance and notify both the CO and contractor of any deficiencies; coordinate availability
of Government furnished property; and provide site entry of contractor personnel. A letter of 
designation issued to the COR, a copy of which is sent to the contractor, states the 
responsibilities and limitations of the COR, especially with regard to changes in cost or price, 
estimates or changes in delivery dates. The COR is not authorized to change any of the terms and 
conditions of the resulting contract. The Alternate COR (ACOR) can perform the COR duties
when the COR is not available to perform the COR duties.


1.11. Contractor Identification 


1.11.1. Contractor personnel performing services in a contractor capacity in a Government 
facility are required to possess and wear an identification badge that displays his or her name and
the name of their company. All contractor personnel shall identify themselves as contractor 
support personnel in all forms of communication with all entities with whom DHA/Deputy 
Assistant Director for Acquisition (DAD-A)/Head of the Contracting Activity (HCA) has 
business dealings. The contractor shall: answer all telephone calls and have a personalized voice 
message with an introductory statement that includes the fact that the person is contractor 
support personnel. Ensure all those with whom the person interacts in any face-to-face dealings 
while supporting the DAD-A understands that the person is contractor support personnel. Include 
a title block in all emails that states the fact that the person is contractor support personnel. 
Ensure all those with whom the person interacts in any face-to-face dealings while supporting 
DHA/DAD-A/HCA understands that the person is contractor support personnel. 


1.11.2. Contractor personnel will be required to attend meetings or otherwise communicate with 
Government and/or other contract representatives to meet the requirements of this order. 
Contractor personnel shall make their contractor status known during introductions. 


1.11.3. Contractor personnel, while performing in a contractor capacity, are prohibited from 
using their retired or reserve component military rank or title in any written or verbal 
communications associated with the contracts in which they provide services. 

1.12. Personnel Security


1.12.1. The contractor shall comply with DoD 8570.01-M, “Information Assurance Workforce 
Improvement Program, CH4” November 10, 2015 as amended; 8500.01, “Cybersecurity”, dated 
March 14, 2014; DoD Manual (DoDM) 6025.18, “Implementation of the Health Insurance 
Portability and Accountability Act (HIPAA) Privacy Rule Compliance in DoD Health Care 
Programs” dated March 3, 2019, Department of Defense Instruction (DoDI) 6025.18 “HIPAA 
Privacy Rule Compliance in DoD Health Care Programs”, dated March 13, 2019; and DoDM 
5200.02 “Procedures for the DoD Personnel Security Program (PSP),” incorporation change 3, 
effective September 24, 2020. Contractor responsibilities for ensuring personnel security include, 
but are not limited to, meeting the following requirements: 


1.12.1.1. Follow the DHA Personnel Security Office guidelines for submittal of security 
clearances. Contact the DHA Personnel Security Office for guidance on the appropriate 
background investigation required for personnel on the contract. The DHA Personnel Security 
Office can be reached at (703) 275-6038. The Contracting Officer Representative will facilitate 
this process. 


1.12.1.2. Initiate, maintain, and document personnel security investigations appropriate to the 
individual’s responsibilities and required access to Controlled Unclassified Information (CUI). 


1.12.1.3. DHA Personnel Security Office does not deny any access to any Automated 
Information System (AIS), network, or CUI. If a contractor receives an unfavorable background 
investigation, the request for access will be sent back to the FSO for further action. Any 
unfavorable adjudication will result in DHA Personnel Security Office not signing off on any 
access request. 

PART 2
2.0 DEFINITIONS, ACRONYMS, AND APPLICABLE PUBLICATIONS/INSTRUCTIONS

2.1. Definitions:


2.1.1. Category D: Information Technology (IT) and Telecommunications Services (called
D-Services)


2.1.2. Category R: Support (Professional/Administrative/Management) Services (called
R-Services)


2.1.3. Contracting Officer (CO): A person with the authority to enter into, administer, and/or 
terminate contracts and make related determinations and findings. 


2.1.4. Contracting Officer’s Representative (COR): An individual, including a contracting 
officer’s technical representative (COTR), designated and authorized in writing by the CO to 
perform specific technical or administrative functions. This individual does NOT have authority 
to change the terms and conditions of the contract. 


2.1.5. Nonpersonal services contract: a contract under which the personnel rendering the 
services are not subject, either by the contract’s terms or by the manner of its administration, to 
the supervision and control usually prevailing in relationships between the Government and its 
employees. 


2.1.6. Quality Assurance Surveillance Plan (QASP): An organized written document 
specifying the surveillance methodology to be used for surveillance of contractor performance. 
The Government may either prepare the QASP or require the offerors to submit a proposed 
quality assurance surveillance plan for the Government’s consideration in development of the 
Government’s plan. 


2.2. Applicable Publications, DHA Administrative Instructions (AI), etc.


• Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191)
    - Standards for Privacy of Individually Identifiable Health Information (45 CFR Parts 160
      and 164)
    - Standards for Electronic Transactions (45 CFR Parts 160 and 162)
    - Standard Unique Health Identifier for Health Care Providers (45 CFR Part 162)
• DoD Regulation 6025.18R, DoD Health Information Privacy Regulation
• Freedom of Information Act of 1966, as amended (5 U.S.C. § 552)
• Public Law 93-579: Privacy Act of December 31, 1974
• DoDD 8500.01E Information Assurance
• Privacy Act Program Requirements (DoD 5400.11)
• Personnel Security Program Requirements (52007.2)

PART 3
3.0. GOVERNMENT FURNISHED PROPERTY, EQUIPMENT, AND SERVICES 


3.1. Services: The Government: 


Will NOT provide Government Furnished Services in support of this contract/task order. As a 
result, this paragraph is Not Applicable. 


[ ] WILL provide Government Furnished Services required in support of this contract/task
orders. 


3.2. Facilities: The Government: 


[ ] Will NOT provide Facilities in support of this contract/task order. As a result, this paragraph
is Not Applicable. 


WILL provide Facilities in support of this contract/task orders. The Government provided 
Facilities are described below: 


The Government will provide the necessary workspace for the contractor staff to provide the 
support outlined in the PWS to include desk space, telephones, computers, and other items 
necessary to maintain an office environment. If there is not workspace available for the 
contractor staff, remote work and telework will be implemented. 


3.3. Utilities: The Government: 


[ ] Will NOT provide Utilities in support of this contract/task order. As a result, this paragraph is
Not Applicable. 


WILL provide Utilities in support of this contract/task orders. The Government provided 
Utilities are described below: 


All utilities in Government facilities will be available for the contractor’s use in
performance of tasks outlined in this PWS. The contractor shall instruct employees in utilities 
conservation practices. The contractor shall be responsible for operating under conditions that 
preclude the waste of utilities. 


3.4. Equipment: The Government: 


[ ] Will NOT provide Equipment in support of this contract/task order. As a result, this paragraph
is Not Applicable. 

WILL provide Equipment in support of this contract/task orders. The Government provided 
Equipment at the Government Facility is described below: 


DHA Readiness Analytic Support — Cost Modeling 
HT9402-23-C-0010 Section C 


The Government will provide telephones, copiers, and computer equipment to include laptops 
for use in performance under this contract/task order. This equipment is authorized for 
transaction of official Government business only and shall not be used for personal business. 
Personal long-distance calls are not authorized, and the cost of all personal long-distance calls 
made by contractor or subcontractor employees may be deducted from the contractor’s invoice
payments. Telephones, facsimile machines, and computer equipment to include laptops are 
subject to communications security monitoring at all times. Contractor and subcontract 
employees may be issued keys signed for at scheduled and unscheduled key control inspections. 
The contractor shall be required to reimburse the Government for lost keys, or lockset (if lockset 
is required to be replaced) as a result of lost keys. The cost of replacement of keys/locksets may 
be deducted from payments to the contractor. Items issued will remain the property of the 
Government and the contractor will maintain proper accountability of issued equipment. 
Equipment shall not be removed from the facilities shown in paragraph 3.2 above, unless 
otherwise specified in the PWS. They are to be used, turned in and/or disposed of as directed by 
the COR or CO. 


3.4.1. Procurement Integrated Enterprise (PIEE), GFP Module Application 


The contractor shall be responsible for obtaining and maintaining access, training, and successful 
operation of the PIEE/GFP Module application for the entirety of the contract/task order Period 
of Performance (PoP). The PIEE GFP Module application is located at the following website: 
https://wawf.eb.mil/piee-landing/. Access to PIEE/GFP Module application training materials
and in-depth information applicable to the contractor’s responsibilities regarding GFP can be 
found at the following website: https://dodprocurementtoolbox.com/. 


Contracting Office Responsibilities: 
The Contracting Office shall ensure close coordination and validation of the GFP items with the
COR and DHA Accountable Property Officer prior to uploading the GFP Attachment into the
PIEE/GFP Module. At the time GFP is anticipated and identified, the Government will upload 
the GFP Attachment into the PIEE/GFP Module. It is the Contracting Office’s responsibility to 
prepare, upload and maintain the GFP Attachment in the PIEE/GFP Module in accordance with 
the GFP Attachment instructions provided at the DoD Procurement Toolbox. The CO and COR 
shall manage and keep an inventory of any GFP associated with contract/task orders awarded 
through DHA, in accordance with applicable FAR Part 45, DoD FAR Supplement (DFARS) 245 
with respective clauses, DHA AI 095 and PD 45-01 following the change in disposition of items 
listed on that PIEE/GFP Module Attachment. 


The contracting office will also review, acknowledge, reject and/or approve shipment orders 
provided by the contractor as appropriate. Functional roles can be determined within the 
Contracting Office and requested within the PIEE/GFP Module system. 


Contractor Responsibilities: 
A key contractor responsibility is to work with the CO and COR to ensure the PIEE/GFP Module
data, to include the PIEE/GFP Attachment, provides a timely, complete, and accurate accounting
of the GFP applicable to the contract/task order. Contractors are required to report the receipt of
any GFP shipped to them, regardless of whether it is listed on the GFP Attachment for their
contract. Similarly, contractors are required to utilize the GFP Module application in 
conjunction with the shipment of GFP to the Government, or in reporting Property Loss of GFP 
issued (such as destruction or loss). Discrepancies or disputes regarding property shipped to or 
shipped from the contractor must be reported via the GFP Module application, with the CO 
having authority over final designation of status. 


3.5. Materials: The Government: 


Will NOT provide Materials in support of this contract/task order. As a result, this paragraph 
is Not Applicable. 


[ ] IS providing Materials in support of this contract/task orders. The Government-provided
Materials are described below: N/A 

PART 4
4.0 CONTRACTOR FURNISHED ITEMS AND SERVICES 


4.1. Services: The Contractor: 


[X] Will NOT provide Contractor Furnished Services in support of this contract/task order. As a
result, this paragraph is Not Applicable. 


WILL provide Contractor Furnished Services required in support of this contract/task orders. 
These Services are described below: provide 


4.2. General: The contractor shall furnish all supplies, equipment, facilities, and services 
required to perform work listed under Section 5 of this PWS. 


4.3. Materials: Not Applicable. 

4.4. Equipment: Not Applicable. 

4.5. Facilities: The Government will provide the necessary workspace for the contractor staff to
provide the support outlined in the PWS to include desk space, telephones, computers, and other
items necessary to maintain an office environment. If there is not workspace available for the
contractor staff, remote work and telework will be implemented.

PART 5
5.0 SPECIFIC TASKS 


5.1 BASE TASK: The Contractor shall provide sufficient management to ensure that these 
tasks are performed efficiently, accurately, on time, and in compliance with the requirements of 
this document. The Contractor shall ensure that a Monthly Progress Report is submitted 
outlining the completed tasks and actions, upcoming tasks and actions, and any problems/issues
encountered in the performance of these tasks and actions.


5.1.1 Monthly Progress Report (MPR) (M0001) 


The MPR shall include the completed tasks and actions, upcoming tasks and actions, and any 
problems/issues encountered in the performance of that reporting month. The MPR is due to the
Government within 45 days of contract award and monthly, NLT 15th of following month. 


5.1.2 Outgoing Transition Plan (OT0002) 


In accordance with the solicitation, the Contractor shall provide a plan (OT0002) for 30 days of 
outgoing transition for transitioning work from an active task order to a follow-on contract/order 
or Government entity. This transition may be to a Government entity, another Contractor or to 
the incumbent Contractor under a new contract/order. In accordance with the
Government-approved plan, the Contractor shall assist the Government in planning and implementing a
complete transition from this Contract and/or orders issued under this Contract to a successful 
provider. This shall include formal coordination with Government staff and successor staff and 
management. It shall also include delivery of copies of existing policies and procedures, and 
delivery of required metrics and statistics. This transition plan shall include but is not limited to: 


• Coordination with Government representatives
• Review, evaluation, and transition of current support services
• Transition of historic data to new Contractor system
• Transfer of all necessary business and/or technical documentation
• Orientation phase and program to introduce Government personnel, programs, and users
  to the Contractor's team, tools, methodologies, and business processes
• Disposition of Contractor purchased Government owned assets, including facilities,
  equipment, furniture, phone lines, computer equipment, etc.
• Transfer of Government Furnished Equipment (GFE) and Government Furnished
  Information (GFI), and GFE inventory management assistance
• Applicable DHA debriefing and personnel out-processing procedures
• Turn-in of all Government keys, ID/access cards, and security codes.


5.1.3. Program Management Plan (OT0003)


The Contractor shall develop a Program Management Plan (PMP). The PMP shall consist of
control procedures in accordance with standard industry practices for project administration,
execution, and tracking.
The PMP shall include the following: detailed plan describing the Contractor’s overall
management approaches, policies, and procedures including suggested project metrics along with
a detailed staffing plan.


5.1.4. Quality Control Plan (OT0004) 


The Contractor shall prepare and adhere to a Quality Control Plan (QCP). The QCP will initially 
be submitted within 30 calendar days after contract award. The QCP shall document how the 
Contractor will meet and comply with the quality standards established in this statement of work. 
At a minimum, the QCP must include a self-inspection plan, an internal staffing plan, and an 
outline of the procedures that the Contractor will use to maintain quality, timeliness, 
responsiveness, customer satisfaction, and any other requirements set forth in this solicitation. 


5.1.5. Contingency Operations Plan (Q0005) 


The Contractor shall develop and submit a Contingency Operations Plan (COP) to the 
Government. The COP shall be due 30 calendar days after the contract award and will be 
updated on a quarterly basis. The COP shall document Contractor plans and procedures to 
maintain DHA support during an emergency. The COP shall include the following: 


• A description of the Contractor’s emergency management procedures and policy
• A description of how the Contractor will account for their employees during an
  emergency
• How the Contractor will communicate with DHA during emergencies


5.1.6. Operations During Emergency Situations 


Contingency Operations Plan shall be activated immediately after determining that an emergency 
has occurred, shall be operational within twelve (12) hours of activation, and shall be sustainable 
until the emergency is resolved, and normal conditions are restored, or the contract is terminated, 
whichever comes first. In case of a life-threatening emergency, the COR shall immediately 
contact the Contractor Program Manager to ascertain the status of any Contractor personnel who 
were located in Government controlled space affected by the emergency. When any disruption of 
normal, daily operations occurs, the Contractor Program Manager shall promptly open an 
effective means of communication and verify: 


• Key points of contact (Government and Contractor)
• Temporary work locations (alternate office spaces, telework, virtual offices, etc.)
• Means of communication available under the circumstances (e.g., email, webmail,
  telephone, FAX, courier, etc.)
• Essential work products expected to continue production by priority


The Program Manager, in coordination with the COR, must make use of the resources and tools 
available to continue DHA contracted functions to the maximum extent possible under 
emergency circumstances. The Contractor must obtain approval from the COR and Contracting 
Officer prior to incurring costs over and above those allowed for under the terms of this contract. 
Regardless of contract type, and of work location, Contractors performing work in support of
authorized tasks within the scope of their contract shall charge those hours accurately in 
accordance with the terms of this contract. 


5.1.7. Project Management 


The contractor shall provide support to assist the Government in designing and implementing 
disciplined, comprehensive, and flexible portfolio, program, and project management processes. 
This includes but may not be limited to: task management, ongoing status reporting, risk/issue
management, resource management, operations and quality, and financial management as well as 
the execution of ad-hoc requests. Status reporting should highlight accomplishments, priorities, 
and risks/issues. As part of program management, meeting facilitation support may be required 
by the contractor across various working groups or committees. 


The contractor shall provide business process improvement support that provides best business 
practices that support and enhance the overall mission capabilities, to include an integrated 
approach to business process improvement, and a standardization assessment. 


5.1.8 Workforce Requirements 


Building an integrated and unified tool that can be used to inform military health scenario 
planning (e.g., annual planning and budgeting process, long-term strategic planning) and answer 
strategic questions (e.g., cost, readiness, and delivery impact services configuration changes 
including workforce allocation planning, services offered, and population served). 


Resource management performance 

The contractor shall provide support and services as they relate to the DHA decision making 
system for headquarters, markets and facility level in its pursuit of performance excellence. 
Strategies and the decision-making system could include, but are not limited to, utilizing data most
effectively, ensuring the fidelity of data (e.g., quality, redundancy, access), and aligning to shared 
resources and tools across the Military Healthcare System (MHS). Contracts will support and build 
on platform investments made to date (e.g., OSD, Services, beneficiaries, and facilities), and create 
actions—all with the purpose of advancing health and delivering on DHA’s readiness and benefit 
delivery missions. These strategies may apply industry best practices to the DHA’s specific mission 
and business context. 


5.1.9 Strategic Communications 


The contractor shall provide broad-based communications and change management support 
services impacting MHS governance, congressional inquiry, COVID-19 initiatives and 
monitoring, and workforce optimization. Strategic communication efforts enable DHA to 
achieve the following goals:

• Provide an integrated and coordinated approach to execute critical governance and
support initiatives

• Develop and maintain open communication across the MHS to build and maintain
awareness and support

• Assist the MHS in anticipating large-scale organizational changes including the NDAA
reorganization and transition, adoption of policies, and financial statement audit
sustainment efforts

• Develop communication and change management strategies to improve existing
coordination and collaboration within the MHS and across other stakeholders

5.2 TASK 1A: Performance Improvement Infrastructure 

Recommending management processes that would allow for cost and quality performance in key
categories that are directly controlled or influenced by DHA. By adopting a bold approach (e.g.,
comprehensive transformation), DHA could be well positioned to create a best-in-class
performance improvement infrastructure that allows it to leverage economies of scale and skills.


5.3 TASK 2B/2C: Define/Deliver on DHA’s strategy for DirectCare delivery (HR Operating Model) 


The contractor shall support DHA with human capital management services built around the
guiding principles of applying relevant leading practices for human capital strategy for the
Defense Health Program. Strategies and decision-making system could include, but are not limited
to, utilizing data most effectively, ensuring the fidelity of data (e.g., quality, redundancy, access),
and aligning to shared resources and tools across the Military Healthcare System (MHS).
Contractor will support and build on platform investments made to date (e.g., OSD, Military
Services, beneficiaries, and facilities), and create actions with the purpose of advancing health
and delivering on DHA readiness and benefit delivery missions.


This includes: 


5.3.1 Support the assessment and implementation planning of an organizational and operating 
model. The human capital operating model shall outline the business, organization structure 
and/or governance metrics of the MHS, and support DHA leadership in providing direction, 
policy, infrastructure, decision governance, and performance measurements. 


5.3.2 Support with oversight of the MHS’ internal controls over human capital processes 
The following are potential areas of support: 


5.3.3 Providing perspective on current or trending DHA performance in line with healthcare 
industry trends to assess opportunities, issues, risks, and performance trajectory. 


5.3.4 Assisting DHA to prioritize and revise its human capital strategy to ensure it enables the 
most effective and innovative human capital operating model across sources to generate 
insights, tools reports, and performance management dashboards and system tools to 
improve and monitor programs efforts (e.g., readiness, care quality and effectiveness, 
access, human capital management, research, public health preparedness, acquisition 
cost, etc.). 


5.3.5 Supporting the delivery of enterprise-wide human capital management to further
improve transparency, enhance decision making with information across sources (e.g.,
MHS GENESIS, MEPRS, DMHRSi), improve execution speed, and support analytical
capabilities.

5.3.6 Providing services and improve governance across DHA to develop a faster, more 
effective decision-oriented human capital organization and operating model. Activities 
may include evaluating the current governance model and developing the future state 
model; designing or updating governance roles, responsibilities, processes, value, and 
program management structures, including cross-program and cross-organizational 
structures. 


5.3.7 Development of human capital operating model and plans for scaling across enterprise.


PART 6
6.0 INFORMATION TECHNOLOGY & SECURITY 


6.1. All work under this contract is classified. The security requirements are in accordance with the 
DD Form 254 attached to the contract. 


6.2. The TIER I or TIER II levels and position sensitivity designation for positions under this 
contract is: TIER I 


6.2.1. TIER II: Non-critical sensitive position 


6.3. Personally Identifiable Information (PII)/Protected Health Information (PHI), Procurement, and
Federal information requirements: Refer to Clause Section for DHA Procedures, Guidance, and
Information 224.90 if applicable. This can be found at
https://www.health.mil/Reference-Center/Policies/2020/10/27/PGI-224190-PI-PHI-and-Federal-Information-Requirements


6.3.1. Data Sharing Agreements (DSAs): Contractors requiring access to PII, which includes
PHI, or access to de-identified data, are subject to the DHA Privacy and Civil Liberties Office
(DPCLO) (Privacy Office) Data Sharing Program. This program requires DHA to enter into 
DSAs with parties outside the MHS who use or create MHS data. A DHA contract may use the 
term Data Use Agreement (DUA) rather than DSA. DSAs assure that outside parties protect 
MHS data in accordance with the Privacy Act and the HIPAA Rules. To apply for a DSA, the 
contractor submits a Data Sharing Agreement Application (DSAA) to the DHA DPCLO. The 
contractor submits the DSAA even if a subcontractor will be the party accessing MHS data. 
After review and approval of the DSAA, the Privacy Office provides a DSA to the contractor for 
execution. 


6.3.2. Processing Procurement Sensitive Information: All individuals shall seek guidance from 
the CO regarding the coordination of documents, dissemination, and transmission of 
procurement sensitive information. Procurement sensitive information shall not be transmitted 
electronically unless encryption is utilized. Depending on a particular procurement, other 
restrictions may apply. 


6.4. Training 


6.4.1. Contractor employees performing cybersecurity/cyberspace functions shall comply with 
the following requirements: 


6.4.1.1. Training: All contractor and associated subcontractor employees working Cybersecurity
Information Assurance (IA)/Cyberspace functions must comply with DoD training requirements
in Department of Defense Directive (DoDD) 8140.01 and DoD 8570.01-M. Contractors shall
identify, document, track, and report qualifications of contract support personnel who perform
cyberspace work roles.


6.4.1.2. Certification: The contractor shall ensure that personnel accessing IS have the proper and
current IA certification to perform IA functions at contract award in accordance with DoD
8570.01-M, IA Workforce Improvement Program. The contractor shall meet the applicable IA
certification requirements as outlined in DFARS 252.239-2001, including:


6.4.1.2.1. DoD-approved IA workforce certifications appropriate for each category and level as
listed in the current version of DoD 8570.01-M; and


6.4.1.2.2. Appropriate operating system certification for IA technical positions as required by
DoD 8570.01-M.


6.4.1.2.2.1. Upon request by the Government, the contractor shall provide documentation 
supporting the IA certification status of personnel performing IA functions. 


6.4.1.2.2.2. Contractor personnel who do not have proper and current certifications shall be 
denied access to DoD IS for the purpose of performing IA functions. 


6.4.2. User requirements: All contractor employees that require access to DHA IT must comply 
with the requirements of DHA-Procedural Instruction 8140.01, Acceptable Use of DHA IT, to 
include those contract employees with privileged access.


PART 7
7.0 ATTACHMENTS/TECHNICAL EXHIBIT LISTING


| Deliverable | Frequency | Medium/Format | Submit To |
|---|---|---|---|
| M0001 Monthly Progress Report | Monthly — NLT 15th of following month | One (1) original in electronic copy using MS Office | Submit through the DHA e-Commerce Extranet. |
| OT0002 Outgoing Transition Plan (ONE TIME) | NLT 30 calendar days before the end of the last period of performance | One (1) original in electronic copy using MS Office | Submit through the DHA e-Commerce Extranet. |
| OT0003 Program Management Plan (ONE TIME) | NLT 30 calendar days after contract award date | One (1) original in electronic copy using MS Office | Submit through the DHA e-Commerce Extranet. |
| OT0004 Quality Control Plan (ONE TIME) | NLT 30 calendar days after contract award date | One (1) original in electronic copy using MS Office | Submit through the DHA e-Commerce Extranet. |
| Q0005 Contingency Operations Plan | NLT 30 calendar days after contract award date and updated Quarterly | One (1) original in electronic copy using MS Office | Submit through the DHA e-Commerce Extranet. |

7.1. The following forms are to be completed by the FSO/Security POC or COR once the 
contractor is granted the proper background investigation. 


7.1.1. The Contracting Officer Representative will facilitate onboarding and providing 
documentation and direction to complete the following: 


7.1.2. Contractor CAC Request Process: 
7.1.3. DHA’s contractor training instructions. 


7.1.4. DHA’s new employee handbook


SECTION D — Packaging and Marking


D.1. Labeling. The Contractor shall include the contract number on all documents to be 
furnished under the contract. 


D.2. Inclusions. Each package, report or other deliverable shall be accompanied by a letter or 
other document which includes the following identification. 


1. Contract Number. Identifies the contract by number under which the item is being 
delivered. 

2. Partial or Full Satisfaction. Indicates whether the Contractor considers the delivered items 
represent partial or full satisfaction of the requirement. 


(End of Section D)


SECTION E - Inspection and Acceptance


E.1. Clauses. 
FAR 52.246-4 Inspection of Services--Fixed-Price (AUG 1996) 


E.2. Acceptance. Acceptance or rejection of services will be accomplished by the Contracting 
Officer, or Contracting Officer’s Representative electronically through the process described in 
Section G. 

(End of Section E)


SECTION F - Deliveries or Performance
F.1. Period of Performance. 


BASE PERIOD 


September 30, 2023 to September 29, 2024 
The Period of Performance shall be 12 months. 
F.2. REPORTS AND PLANS 


F.2.1. Unless otherwise specified, the contractor shall electronically submit all Contract Data 
Requirements List items (CDRL) (contract plans, reports, etc.) in the specified format using 
Microsoft Office Excel, Word, PDF, or other specified software. If no format is specified, the 
contractor may use its own format. The Defense Health Agency (DHA) E-Commerce Extranet 
application facilitates the submission and tracking of contract deliverables. The contractor shall 
submit all required deliverables to the DHA via the E-Commerce Extranet unless otherwise 
directed by DD Form 1423, CDRL, located in Section F of the applicable contract. The contractor 
shall provide all reports and plans that are specified in this Section. The contractor is accountable 
for assuring that reports contain accurate and complete data. The contractor shall prepare written 
procedures describing the source of information as well as the specific steps followed in the 
collection and preparation of data for each report. All reports must be supported with sufficient 
documentation and audit trails. The reports shall be titled as listed. The contractor shall submit a 
negative report if there is no data to report. 


Required reports include: 


F.2.1.1. CDRL Reports Summary:


M0001 Monthly Progress Report (MPR) 
OT0002 Outgoing Transition Plan 
OT0003 Program Management Plan 
OT0004 Quality Control Plan 
Q0005 Contingency Operations Plan 
(End of Section F)


SECTION G — Contract Administration
G.1. Clauses. 


DFARS 252.204-7006 Billing Instructions (MAY 2023) 
DFARS 252.232-7006 WIDE AREA WORKFLOW PAYMENT INSTRUCTIONS (JAN 2023) 
(a) Definitions. As used in this clause— 


“Department of Defense Activity Address Code (DoDAAC)” is a six position code that uniquely 
identifies a unit, activity, or organization. 


“Document type” means the type of payment request or receiving report available for creation in 
Wide Area WorkFlow (WAWF). 


“Local processing office (LPO)” is the office responsible for payment certification when 
payment certification is done external to the entitlement system. 


“Payment request” and “receiving report” are defined in the clause at 252.232-7003, Electronic
Submission of Payment Requests and Receiving Reports.


(b) Electronic invoicing. The WAWF system provides the method to electronically process
vendor payment requests and receiving reports, as authorized by Defense Federal Acquisition
Regulation Supplement (DFARS) 252.232-7003, Electronic Submission of Payment Requests
and Receiving Reports.


(c) WAWF access. To access WAWF, the Contractor shall— 


(1) Have a designated electronic business point of contact in the System for Award Management 
at https://www.sam.gov; and 


(2) Be registered to use WAWF at https://wawf.eb.mil/ following the step-by-step procedures for
self-registration available at this web site.


(d) WAWF training. The Contractor should follow the training instructions of the WAWF
Web-Based Training Course and use the Practice Training Site before submitting payment requests
through WAWF. Both can be accessed by selecting the “Web Based Training” link on the
WAWF home page at https://wawf.eb.mil/


(e) WAWF methods of document submission. Document submissions may be via web entry, 
Electronic Data Interchange, or File Transfer Protocol. 


(f) WAWF payment instructions. The Contractor shall use the following information when 
submitting payment requests and receiving reports in WAWF for this contract or task or delivery 
order: 


(1) Document type. The Contractor shall submit payment requests using the following document 
type(s): 


(i) For cost-type line items, including labor-hour or time-and-materials, submit a cost voucher.


(ii) For fixed price line items—


(A) That require shipment of a deliverable, submit the invoice and receiving report specified by 
the Contracting Officer. 


(Contracting Officer: Insert applicable invoice and receiving report document type(s) for fixed 
price line items that require shipment of a deliverable.) 


(B) For services that do not require shipment of a deliverable, submit either the Invoice 2in1, 
which meets the requirements for the invoice and receiving report, or the applicable invoice and 
receiving report, as specified by the Contracting Officer. 


(Contracting Officer: Insert either “Invoice 2in1” or the applicable invoice and receiving report 
document type(s) for fixed price line items for services.) 


(iii) For customary progress payments based on costs incurred, submit a progress payment 
request. 


(iv) For performance-based payments, submit a performance based payment request. 
(v) For commercial financing, submit a commercial financing request. 


(2) Fast Pay requests are only permitted when Federal Acquisition Regulation (FAR) 52.213-1 is 
included in the contract. 


[Note: The Contractor may use a WAWF “combo” document type to create some combinations
of invoice and receiving report in one step.]


(3) Document routing. The Contractor shall use the information in the Routing Data Table below 
only to fill in applicable fields in WAWF when creating payment requests and receiving reports 
in the system. 


Routing Data Table


| Field Name in WAWF | Data to be entered in WAWF |
|---|---|
| Pay Official DoDAAC | HT0010 |
| Issue By DoDAAC | HT9402 |
| Admin DoDAAC | HT9402 |
| Inspect By DoDAAC | Not Applicable |
| Ship To Code | Not Applicable |
| Ship From Code | Not Applicable |
| Mark For Code | Not Applicable |
| Service Approver (DoDAAC) | HT0075 |
| Service Acceptor (DoDAAC) | HT0075 |
| Accept at Other DoDAAC | Not Applicable |
| LPO DoDAAC | Not Applicable |
| DCAA Auditor DoDAAC | Not Applicable |


(*Contracting Officer: Insert applicable DoDAAC information. If multiple ship
to/acceptance locations apply, insert “See Schedule” or “Not applicable.”)


(**Contracting Officer: If the contract provides for progress payments or 
performance-based payments, insert the DoDAAC for the contract administration 
office assigned the functions under FAR 42.302(a)(13).) 


(4) Payment request. The Contractor shall ensure a payment request includes 
documentation appropriate to the type of payment request in accordance with the 
payment clause, contract financing clause, or Federal Acquisition Regulation 52.216- 
7, Allowable Cost and Payment, as applicable. 


(5) Receiving report. The Contractor shall ensure a receiving report meets the 
requirements of DFARS Appendix F. 


(g) WAWF point of contact. 


(1) The Contractor may obtain clarification regarding invoicing in WAWF from the 
following contracting activity’s WAWF point of contact. 


(Contracting Officer: Insert applicable information or “Not applicable.”) 
(2) Contact the WAWF helpdesk at 866-618-5988, if assistance is needed. 
(End of clause)


G.1.2. Contracting Officer’s Representative. The Contracting Officer will designate a
Contracting Officer’s Representative (COR) in writing. The Contractor will be provided a 
copy of COR appointment. The written appointment will delineate the scope of authority of 
the COR. 


G.2. Billing Instructions. 
G.2.1. Electronic Payment Support & Documentation for WAWF. 


G.2.1.1. Payment support. Contractors are required to submit their “payment request and
receiving report” electronically utilizing the WAWF application. In conjunction with the
WAWF application, the Contractor must continue to submit their payment request and
backup documents to the COR. This will ensure the continuity of payments.


G.2.1.2. Credit Invoices. WAWF is not able to process any credit invoices; therefore,
credit invoices must be submitted directly to the COR.


G.2.1.3. Procedure if WAWF is unavailable. When instructed by the Contracting Officer
that the WAWF system is not operating normally, the Contractor may submit their invoices
directly to the Contracting Officer and the COR. E-mail invoice(s) that are not submitted through
WAWF must clearly state in the subject line ‘WAWF not used’. The e-mail receipt date shall be
used as the invoice receipt date; the Government will work with the contractor to get the
Receiving Report signatures necessary for payment.


G.2.2. Instructions to Paying Office. The paying office will follow paying 
instructions included in any contract modification. 


G.2.2.1. Revisions to payment instructions may be made as circumstances require.
Revisions may be accomplished by correspondence between the contracting office and the
paying office.


(End of Section G)


SECTION H — Special Contract Requirements
H.1. Clauses. 


DFARS 252.203-7000, Requirements Relating to Compensation of Former DoD Officials (SEP 
2011) 


H.2. Organizational Conflicts of Interest. 


DHA.H.1 — DISCLOSURE OF ORGANIZATIONAL CONFLICTS OF INTEREST AFTER 
CONTRACT AWARD 


(a) If the Contractor identifies an actual or potential Organizational Conflict of Interest 
(OCI) that has not already been adequately disclosed and resolved (or waived in 
accordance with FAR 9.503), the Contractor shall make a prompt and full disclosure in 
writing to the Contracting Officer. This disclosure shall include a description of the OCI 
and the action(s) the Contractor has taken or proposes to take in order to resolve the 
conflict. The Contractor may also identify actions the Government may take to address or 
resolve the OCI. 


(b) If an OCI mitigation plan is involved in the resolution of the OCI and the contract does
not already include the clause at DHA.H.2 entitled “Mitigation of Organizational Conflicts 
of Interest,” then clause DHA.H.2 shall be incorporated into the contract. This reporting 
requirement also includes subcontractors’ actual or potential organizational conflicts of 
interest not adequately disclosed and resolved prior to award. 


(c) Breach. Any breach of the imposed restrictions or any nondisclosure or 
misrepresentation of any relevant facts required regarding organizational conflicts of 
interests to be disclosed may result in termination of this contract for default or other 
remedies as may be available under law or regulation. 


(d) Subcontracts. The Contractor shall include the substance of this clause, including this
paragraph (d), in all subcontracts. The terms “Contractor” and “Contracting Officer” shall
be appropriately modified to reflect the change in parties and to preserve the Government’s
rights.


(End of Clause) 


(End of Section H)


SECTION I - Contract Clauses:
I.1. Clauses Incorporated by Reference. 
52.212-4 Contract Terms and Conditions-Commercial Items (DEC 2022) 
I.2. Addendum to 52.212-4
252.201-7000 Contracting Officer’s Representative (DEC 1991) 
52.203-3 Gratuities (APR 1984) 
252.203-7002 Requirement to Inform Employees of Whistleblower Rights (DEC 
2022) 


252.203-7003 Agency Office of the Inspector General (AUG 2019) 

52.204-9 Personal Identity Verification of Contractor Personnel (JAN 2011) 

52.204-19 Incorporation by Reference of Representations and Certifications (DEC 2014) 
52.204-21 Basic Safeguarding of Covered Contractor Information Systems (NOV 2021) 


52.204-25 Prohibition on Contracting for Certain Telecommunications and Video Surveillance 
Services or Equipment (NOV 2021) 


252.204-7003 Control of Government Personnel Work Product (APR 1992) 
252.204-7015 Notice of Authorized Disclosure of Information for Litigation Support (JAN 2023) 


252.209-7004 Subcontracting with Firms that Are Owned or Controlled by the Government of a 
Country that Is a State Sponsor of Terrorism (DEC 2022) 


252.211-7007 Reporting of Government-Furnished Property (MAR 2022) 
52.225-13 Restrictions on Certain Foreign Purchases (FEB 2021) 
252.225-7012 Preference for Certain Domestic Commodities (APR 2022) 
252.225-7048 Export-Controlled Items (JUN 2013) 


252.226-7001 Utilization of Indian Organizations, Indian-Owned Economic Enterprises, and 
Native Hawaiian Small Business Concerns (JAN 2023) 


52.227-14 Rights in Data General Alternate IV (DEC 2007) 
52.232-39 Unenforceability of Unauthorized Obligations (JUN 2013) 
52.232-40 Providing Accelerated Payments to Small Business Subcontractors (MAR 2023) 


252.232-7003 Electronic Submission of Payment Requests and Receiving Reports (DEC 2018)
252.232-7010 Levies on Contract Payments (DEC 2006)
252.239-7018 Supply Chain Risk (DEC 2022) 


252.243-7001 Pricing of Contract Modifications (DEC 1991) 
252.243-7002 Requests for Equitable Adjustment (DEC 2022) 


252.244-7000 Subcontracts for Commercial Products or Commercial Services (JAN 2023) 
52.245-1 Government Property (SEP 2021) 
I.3. Clauses Incorporated by Full Text.


52.212-5 -- Contract Terms and Conditions Required to Implement Statutes or Executive Orders 
-- Commercial Products and Commercial Services (DEC 2022) 


(a) The Contractor shall comply with the following Federal Acquisition Regulation (FAR) clauses, 
which are incorporated in this contract by reference, to implement provisions of law or Executive orders 
applicable to acquisitions of commercial products and commercial services: 


(1) 52.203-19, Prohibition on Requiring Certain Internal Confidentiality Agreements or 
Statements (JAN 2017) (section 743 of Division E, Title VII, of the Consolidated and Further Continuing 
Appropriations Act, 2015 (Pub. L. 113-235) and its successor provisions in subsequent appropriations acts 
(and as extended in continuing resolutions)). 


(2) 52.204-23, Prohibition on Contracting for Hardware, Software, and Services Developed or 
Provided by Kaspersky Lab and Other Covered Entities (NOV 2021) (Section 1634 of Pub. L. 115-91). 


(3) 52.204-25, Prohibition on Contracting for Certain Telecommunications and Video 
Surveillance Services or Equipment. (Nov 2021) (Section 889(a)(1)(A) of Pub. L. 115-232). 


(4) 52.209-10, Prohibition on Contracting with Inverted Domestic Corporations (NOV 2015).


(5) 52.232-40, Providing Accelerated Payments to Small Business Subcontractors (MAR 2023)
(31 U.S.C. 3903 and 10 U.S.C. 3801).


(6) 52.233-3, Protest After Award (AUG 1996) (31 U.S.C. 3553).


(7) 52.233-4, Applicable Law for Breach of Contract Claim (OCT 2004) (Public Laws 108-77
and 108-78 (19 U.S.C. 3805 note)).


(b) The Contractor shall comply with the FAR clauses in this paragraph (b) that the Contracting 
Officer has indicated as being incorporated in this contract by reference to implement provisions of law or 
Executive orders applicable to acquisitions of commercial products and commercial services: 


X (1) 52.203-6, Restrictions on Subcontractor Sales to the Government (JUN
2020), with Alternate I (NOV 2021) (41 U.S.C. 4704 and 10 U.S.C. 4655).


X (2) 52.203-13, Contractor Code of Business Ethics and Conduct (NOV
2021) (41 U.S.C. 3509).


__ (3) 52.203-15, Whistleblower Protections under the American Recovery and Reinvestment
Act of 2009 (JUN 2010) (Section 1553 of Pub. L. 111-5). (Applies to contracts funded by the American
Recovery and Reinvestment Act of 2009.)


X (4) 52.204-10, Reporting Executive Compensation and First-Tier Subcontract
Awards (JUN 2020) (Pub. L. 109-282) (31 U.S.C. 6101 note).


__ (5) [Reserved].


__ (6) 52.204-14, Service Contract Reporting Requirements (OCT 2016) (Pub. L. 111-117,
section 743 of Div. C).


(7) 52.204-15, Service Contract Reporting Requirements for Indefinite-Delivery
Contracts (OCT 2016) (Pub. L. 111-117, section 743 of Div. C).


__ (8) 52.204-27, Prohibition on a ByteDance Covered Application (JUN 2023) (Section 102 of
Division R of Pub. L. 117-328).


X (9) 52.209-6, Protecting the Government’s Interest When Subcontracting with
Contractors Debarred, Suspended, or Proposed for Debarment. (NOV 21) (31 U.S.C. 6101 note).


(10) 52.209-9, Updates of Publicly Available Information Regarding Responsibility
Matters (OCT 2018) (41 U.S.C. 2313).


__ (11) [Reserved].


(12) 52.219-3, Notice of HUBZone Set-Aside or Sole-Source Award (OCT 2022)
(15 U.S.C. 657a).


__ (13) 52.219-4, Notice of Price Evaluation Preference for HUBZone Small Business
Concerns (OCT 2022) (if the offeror elects to waive the preference, it shall so indicate in its offer)
(15 U.S.C. 657a).


__ (14) [Reserved]


__ (15) (i) 52.219-6, Notice of Total Small Business Set-Aside (Nov 2020) (15 U.S.C. 644).
__ (ii) Alternate I (MAR 2020) of 52.219-6.
__ (16) (i) 52.219-7, Notice of Partial Small Business Set-Aside (NOV 2020) (15 U.S.C. 644).
__ (ii) Alternate I (MAR 2020) of 52.219-7.
__ (17) 52.219-8, Utilization of Small Business Concerns (SEP 2023) (15 U.S.C. 637(d)(2) and
(3)).
__ (18) (i) 52.219-9, Small Business Subcontracting Plan (SEP 2023) (15 U.S.C. 637(d)(4)).
__ (ii) Alternate I (Nov 2016) of 52.219-9.
__ (iii) Alternate II (Nov 2016) of 52.219-9.
__ (iv) Alternate III (JUN 2020) of 52.219-9.
__ (v) Alternate IV (SEP 2023) of 52.219-9.
__ (19) (i) 52.219-13, Notice of Set-Aside of Orders (MAR 2020) (15 U.S.C. 644(1)).
__ (ii) Alternate I (MAR 2020) of 52.219-13.


(20) 52.219-14, Limitations on Subcontracting (OCT 2022) (15 U.S.C. 637s).


(21) 52.219-16, Liquidated Damages—Subcontracting Plan (SEP 2021)
(15 U.S.C. 637(d)(4)(F)()).


__ (22) 52.219-27, Notice of Service-Disabled Veteran-Owned Small Business Set-Aside (OCT
2022) (15 U.S.C. 657f).


__ (23) (i) 52.219-28, Post Award Small Business Program Rerepresentation (SEP
2023) (15 U.S.C. 632(a)(2)).


__ (ii) Alternate I (MAR 2020) of 52.219-28.


(24) 52.219-29, Notice of Set-Aside for, or Sole-Source Award to, Economically
Disadvantaged Women-Owned Small Business Concerns (OCT 2022) (15 U.S.C. 637(m)).


(25) 52.219-30, Notice of Set-Aside for, or Sole-Source Award to, Women-Owned Small
Business Concerns Eligible Under the Women-Owned Small Business Program (OCT 2022)
(15 U.S.C. 637(m)).


(26) 52.219-32, Orders Issued Directly Under Small Business Reserves (MAR
2020) (15 U.S.C. 644(r)).


(27) 52.219-33, Nonmanufacturer Rule (SEP 2021) (15 U.S.C. 637(a)(17)).


X (28) 52.222-3, Convict Labor (JUN 2003) (E.O. 11755).


(29) 52.222-19, Child Labor-Cooperation with Authorities and Remedies (DEC
2022) (E.O. 13126).


X (30) 52.222-21, Prohibition of Segregated Facilities (APR 2015).


X (31) (i) 52.222-26, Equal Opportunity (SEP 2016) (E.O. 11246).

DHA Readiness Analytic Support — Cost Modeling 
HT9402-23-C-0010 Section I 


__ (ii) Alternate I (FEB 1999) of 52.222-26. 
X (32) (i) 52.222-35, Equal Opportunity for Veterans (JUN 2020) ( 38 U.S.C. 4212). 
__ (ii) Alternate I (JUL 2014) of 52.222-35. 


X (33) (i) 52.222-36, Equal Opportunity for Workers with Disabilities (JUN 
2020) ( 29 U.S.C. 793). 


__ (ii) Alternate I (JUL 2014) of 52.222-36. 
X (34) 52.222-37, Employment Reports on Veterans (JUN 2020) (38 U.S.C. 4212). 


X (35) 52.222-40, Notification of Employee Rights Under the National Labor Relations 
Act (DEC 2010) (E.O. 13496). 


X (36) (i) 52.222-50, Combating Trafficking in Persons (Nov 2021) 
(22 U.S.C. chapter 78 and E.O. 13627). 


__ (ii) Alternate I (MAR 2015) of 52.222-50 ( 22 U.S.C. chapter 78 and E.O. 13627). 


— (37) 52.222-54, Employment Eligibility Verification (MAY 2022) (Executive Order 12989). 
(Not applicable to the acquisition of commercially available off-the-shelf items or certain other types 
of commercial products or commercial services as prescribed in FAR 22.1803.) 


__ (38) G) 52.223-9, Estimate of Percentage of Recovered Material Content for EPA— 


Designated Items (May 2008) ( 42 U.S.C. 6962(c)(3)(A)(ii)). (Not applicable to the acquisition of 
commercially available off-the-shelf items.) 


__ (ii) Alternate I (MAY 2008) of 52.223-9 ( 42 U.S.C. 6962(i)(2)(C)). (Not applicable to 
the acquisition of commercially available off-the-shelf items.) 


(39) 52.223-11, Ozone-Depleting Substances and High Global Warming Potential 
Hydrofluorocarbons (Jun 2016) (E.O. 13693). 


__ (40) 52.223-12, Maintenance, Service, Repair, or Disposal of Refrigeration Equipment and 
Air Conditioners (JUN 2016) (E.O. 13693). 


__ (41) (i) 52.223-13, Acquisition of EPEAT®-Registered Imaging Equipment (JUN 
2014) (E.O.s 13423 and 13514). 


__ (ii) Alternate I (OcT 2015) of 52.223-13. 


__ (42) (i) 52.223-14, Acquisition of EPEAT®-Registered Televisions (JUN 2014) (E.O.s 13423 
and 13514). 


__ (ii) Alternate I (Jun2014) of 52.223-14. 
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__ (43) 52.223-15, Energy Efficiency in Energy- 
Consuming Products (MAY 2020) ( 42 U.S.C. 8259b). 


__ (44) (i) 52.223-16, Acquisition of EPEAT®-Registered Personal Computer Products (OCT 
2015) (E.O.s 13423 and 13514). 


__ (ii) Alternate I (JUN 2014) of 52.223-16. 


X (45) 52.223-18, Encouraging Contractor Policies to Ban Text Messaging While 
Driving (JUN 2020) (E.O. 13513). 


(46) 52.223-20, Aerosols (JUN 2016) (E.O. 13693). 


(47) 52.223-21, Foams (Jun2016) (E.O. 13693). 


X (48) (i) 52.224-3 Privacy Training (JAN 2017) (5 U.S.C. 552 a). 
__ (ii) Alternate I (JAN 2017) of 52.224-3. 
— (49) (i) 52.225-1, Buy American-Supplies (OCT 2022) ( 41 U.S.C. chapter 83). 
__ (ii) Alternate I (OCT 2022) of 52.225-1. 
— (50) (i) 52.225-3, Buy American-Free Trade Agreements-Israeli Trade Act (DEC 2022) (19 
U.S.C. 3301 note, 19 U.S.C. 2112 note, 19 U.S.C. 3805 note, 19 U.S.C. 4001 note, 19 U.S.C. chapter 
29 (sections 4501-4732), Public Law 103-182, 108-77, 108-78, 108-286, 108-302, 109-53, 109-169, 
109-283, 110-138, 112-41, 112-42, and 112-43. 
__ (ii) Alternate I [Reserved]. 
__ (iii) Alternate II (DEC 2022) of 52.225-3. 
__ (iv) Alternate III (JAN 2021) of 52.225-3. 
___ (v) Alternate IV (Oct 2022) of 52.225-3. 


— (51) 52.225-5, Trade Agreements (DEC 2022) ( 19 U.S.C. 2501, et 
seq., 19 U.S.C. 3301 note). 


X (52) 52.225-13, Restrictions on Certain Foreign Purchases (FEB 2021) (E.O.’s, 
proclamations, and statutes administered by the Office of Foreign Assets Control of the 
Department of the Treasury). 


(53) 52.225-26, Contractors Performing Private Security Functions Outside the United 
States (Oct 2016) (Section 862, as amended, of the National Defense Authorization Act for Fiscal Year 
2008; 10 U.S.C. Subtitle A, Part V, Subpart G Note). 
— (54) 52.226-4, Notice of Disaster or Emergency Area Set-Aside (Nov 2007) 
(42 U.S.C. 5150). 


— (55) 52.226-5, Restrictions on Subcontracting Outside Disaster or Emergency Area (Nov 
2007) ( 42 U.S.C. 5150). 


(56) 52.229-12, Tax on Certain Foreign Procurements (FEB 2021). 


(57) 52.232-29, Terms for Financing of Purchases of Commercial Products and Commercial 
Services (NOV 2021) ( 41 U.S.C. 4505, 10 U.S.C. 3805). 


(58) 52.232-30, Installment Payments for Commercial Products and Commercial 
Services (Nov 2021) ( 41 U.S.C. 4505, 10 U.S.C. 3805). 


X (59) 52.232-33, Payment by Electronic Funds Transfer-System for Award 
Management (OCT 2018) ( 31 U.S.C. 3332). 


(60) 52.232-34, Payment by Electronic Funds Transfer-Other than System for Award 
Management (Jul 2013) ( 31 U.S.C. 3332). 


(61) 52.232-36, Payment by Third Party (MAY 2014) ( 31 U.S.C. 3332). 


(62) 52.239-1, Privacy or Security Safeguards (AUG 1996) ( 5 U.S.C. 552a). 


(63) 52.242-5, Payments to Small Business Subcontractors (JAN 
2017) (15 U.S.C. 637(d)(13)). 


__ (64) (i) 52.247-64, Preference for Privately Owned U.S.-Flag Commercial Vessels (NOV 
2021) ( 46 U.S.C. 55305 and 10 U.S.C. 2631). 


__ (ii) Alternate I (APR 2003) of 52.247-64. 
__ (iii) Alternate I (Nov 2021) of 52.247-64. 


(c) The Contractor shall comply with the FAR clauses in this paragraph (c), applicable to commercial 
services, that the Contracting Officer has indicated as being incorporated in this contract by reference to 
implement provisions of law or Executive orders applicable to acquisitions of commercial 
products and commercial services: 


X (1) 52.222-41, Service Contract Labor Standards (AUG 2018) ( 41 U.S.C. chapter 67). 


(2) 52.222-42, Statement of Equivalent Rates for Federal Hires (MAY 2014) 
(29 U.S.C. 206 and 41 U.S.C. chapter 67). 


__ (3) 52.222-43, Fair Labor Standards Act and Service Contract Labor Standards-Price 
Adjustment (Multiple Year and Option Contracts) (AUG 2018) (29 U.S.C. 206 and 41 U.S.C. chapter 67). 


__ (4) 52.222-44, Fair Labor Standards Act and Service Contract Labor Standards-Price 
Adjustment (May 2014) (29 U.S.C. 206 and 41 U.S.C. chapter 67). 


— (5) 52.222-51, Exemption from Application of the Service Contract Labor Standards to 
Contracts for Maintenance, Calibration, or Repair of Certain Equipment-Requirements (May 2014) 
(41 U.S.C. chapter 67). 


__ (6) 52.222-53, Exemption from Application of the Service Contract Labor Standards to 
Contracts for Certain Services-Requirements (MAY 2014) ( 41 U.S.C. chapter 67). 


X (7) 52.222-55, Minimum Wages for Contractor Workers Under Executive Order 
14026 (JAN 2022). 


X (8) 52.222-62, Paid Sick Leave Under Executive Order 13706 (JAN 2022) (E.O. 13706). 


(9) 52.226-6, Promoting Excess Food Donation to Nonprofit Organizations (Jun 2020) 
(42 U.S.C. 1792). 


(d) Comptroller General Examination of Record. The Contractor shall comply with the provisions of 
this paragraph (d) if this contract was awarded using other than sealed bid, is in excess of the simplified 
acquisition threshold, as defined in FAR 2.101, on the date of award of this contract, and does not contain 
the clause at 52.215-2, Audit and Records-Negotiation. 


(1) The Comptroller General of the United States, or an authorized representative of the 
Comptroller General, shall have access to and right to examine any of the Contractor’s directly pertinent 
records involving transactions related to this contract. 


(2) The Contractor shall make available at its offices at all reasonable times the records, materials, 
and other evidence for examination, audit, or reproduction, until 3 years after final payment under this 
contract or for any shorter period specified in FAR subpart 4.7, Contractor Records Retention, of the other 
clauses of this contract. If this contract is completely or partially terminated, the records relating to the 
work terminated shall be made available for 3 years after any resulting final termination settlement. 
Records relating to appeals under the disputes clause or to litigation or the settlement of claims arising 
under or relating to this contract shall be made available until such appeals, litigation, or claims are finally 
resolved. 


(3) As used in this clause, records include books, documents, accounting procedures and practices, 
and other data, regardless of type and regardless of form. This does not require the Contractor to create or 
maintain any record that the Contractor does not maintain in the ordinary course of business or pursuant to 
a provision of law. 


(e) 


(1) Notwithstanding the requirements of the clauses in paragraphs (a), (b), (c), and (d) of this 
clause, the Contractor is not required to flow down any FAR clause, other than those in this paragraph 
(e)(1), in a subcontract for commercial products or commercial services. Unless otherwise indicated below, 
the extent of the flow down shall be as required by the clause- 
(i) 52.203-13, Contractor Code of Business Ethics and Conduct (Nov 2021) (41 U.S.C. 3509). 


(ii) 52.203-19, Prohibition on Requiring Certain Internal Confidentiality Agreements or 
Statements (Jan 2017) (section 743 of Division E, Title VII, of the Consolidated and Further Continuing 
Appropriations Act, 2015 (Pub. L. 113-235) and its successor provisions in subsequent appropriations acts 
(and as extended in continuing resolutions)). 


(iii) 52.204-23, Prohibition on Contracting for Hardware, Software, and Services Developed or 
Provided by Kaspersky Lab and Other Covered Entities (NOV 2021) (Section 1634 of Pub. L. 115-91). 


(iv) 52.204-25, Prohibition on Contracting for Certain Telecommunications and Video 
Surveillance Services or Equipment. (Nov 2021) (Section 889(a)(1)(A) of Pub. L. 115-232). 


(v) 52.204-27, Prohibition on a ByteDance Covered Application (JUN 2023) (Section 102 of 
Division R of Pub. L. 117-328). 


(vi) 52.219-8, Utilization of Small Business Concerns (SEP 2023) ( 15 U.S.C. 637(d)(2) and 
(3)), in all subcontracts that offer further subcontracting opportunities. If the subcontract (except 
subcontracts to small business concerns) exceeds the applicable threshold specified in FAR 19.702(a) on 
the date of subcontract award, the subcontractor must include 52.219-8 in lower tier subcontracts 
that offer subcontracting opportunities. 


(vii) 52.222-21, Prohibition of Segregated Facilities (APR 2015). 


(viii) 52.222-26, Equal Opportunity (SEP 2015) (E.O. 11246). 


(ix) 52.222-35, Equal Opportunity for Veterans (JUN 2020) ( 38 U.S.C. 4212). 
(x) 52.222-36, Equal Opportunity for Workers with Disabilities (JUN 2020) (29 U.S.C. 793). 
(xi) 52.222-37, Employment Reports on Veterans (JUN 2020) ( 38 U.S.C. 4212). 


(xii) 52.222-40, Notification of Employee Rights Under the National Labor Relations Act (DEC 
2010) (E.O. 13496). Flow down required in accordance with paragraph (f) of FAR clause 52.222-40. 


(xiii) 52.222-41, Service Contract Labor Standards (AUG 2018) ( 41 U.S.C. chapter 67). 


(xiv) (A) 52.222-50, Combating Trafficking in Persons (NOV 2021) (22 U.S.C. chapter 78 and 
E.O. 13627). 


(B) Alternate I (MAR 2015) of 52.222-50 ( 22 U.S.C. chapter 78 and E.O. 13627). 


(xv) 52.222-51, Exemption from Application of the Service Contract Labor Standards to 
Contracts for Maintenance, Calibration, or Repair of Certain Equipment-Requirements (May 2014) 
(41 U.S.C. chapter 67). 


(xvi) 52.222-53, Exemption from Application of the Service Contract Labor Standards to 
Contracts for Certain Services-Requirements (MAY 2014) ( 41 U.S.C. chapter 67). 
(xvii) 52.222-54, Employment Eligibility Verification (MAY 2022) (E.O. 12989). 


(xviii) 52.222-55, Minimum Wages for Contractor Workers Under Executive Order 14026 (JAN 
2022). 


(xix) 52.222-62, Paid Sick Leave Under Executive Order 13706 (JAN 2022) (E.O. 13706). 
(xx) (A) 52.224-3, Privacy Training (Jan 2017) (5 U.S.C. 552a). 
(B) Alternate I (JAN 2017) of 52.224-3. 
(xxi) 52.225-26, Contractors Performing Private Security Functions Outside the United 
States (OCT 2016) (Section 862, as amended, of the National Defense Authorization Act for Fiscal Year 
2008; 10 U.S.C. Subtitle A, Part V, Subpart G Note). 


(xxii) 52.226-6, Promoting Excess Food Donation to Nonprofit Organizations (JUN 
2020) ( 42 U.S.C. 1792). Flow down required in accordance with paragraph (e) of FAR clause 52.226-6. 


(xxiii) 52.232-40, Providing Accelerated Payments to Small Business Subcontractors (Mar 
2023) ( 31 U.S.C. 3903 and 10 U.S.C. 3801). Flow down required in accordance with paragraph (c) 
of 52.232-40. 


(xxiv) 52.247-64, Preference for Privately Owned U.S.-Flag Commercial Vessels (NOV 
2021) ( 46 U.S.C. 55305 and 10 U.S.C. 2631). Flow down required in accordance with paragraph (d) of 
FAR clause 52.247-64. 


(2) While not required, the Contractor may include in its subcontracts for commercial 
products and commercial services a minimal number of additional clauses necessary to satisfy its 
contractual obligations. 


(End of clause) 


52.252-2 Clauses Incorporated by Reference (FEB 1998) 


This contract incorporates one or more clauses by reference, with the same force and effect as if 
they were given in full text. Upon request, the Contracting Officer will make their full text 
available. Also, the full text of a clause may be accessed electronically at this/these address(es): 


http://www.acquisition.gov/far/ 
(End of clause) 


52.252-6 Authorized Deviations in Clauses (NOV 2020) 


(a) The use in this solicitation or contract of any Federal Acquisition Regulation (48 CFR 
Chapter 1) clause with an authorized deviation is indicated by the addition of "(DEVIATION)" 
after the date of the clause. 
(b) The use in this solicitation or contract of any Defense Acquisition Regulation Supplement (48 
CFR Chapter 2) clause with an authorized deviation is indicated by the addition of 
"(DEVIATION)" after the name of the regulation. 


(End of clause) 
252.204-7012 Safeguarding Covered Defense Information & Cyber Incident Reporting (JAN 2023) 


“Adequate security” means protective measures that are commensurate with the consequences and 
probability of loss, misuse, or unauthorized access to, or modification of information. 


“Compromise” means disclosure of information to unauthorized persons, or a violation of the security 
policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, 
or loss of an object, or the copying of information to unauthorized media may have occurred. 


“Contractor attributional/proprietary information” means information that identifies the contractor(s), 
whether directly or indirectly, by the grouping of information that can be traced back to the contractor(s) 
(e.g., program description, facility locations), personally identifiable information, as well as trade secrets, 
commercial or financial information, or other commercially sensitive information that is not customarily 
shared outside of the company. 


“Controlled technical information” means technical information with military or space application that is 
subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, 
or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution 
statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on 
Technical Documents. The term does not include information that is lawfully publicly available without 
restrictions. 


“Covered contractor information system” means an unclassified information system that is owned, or 
operated by or for, a contractor and that processes, stores, or transmits covered defense information. 


“Covered defense information” means unclassified controlled technical information or other information, 
as described in the Controlled Unclassified Information (CUI) Registry at 
http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination 
controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is— 


(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the 
contractor by or on behalf of DoD in support of the performance of the contract; or 


(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in 
support of the performance of the contract. 


“Cyber incident” means actions taken through the use of computer networks that result in a compromise or 
an actual or potentially adverse effect on an information system and/or the information residing therein. 


“Forensic analysis” means the practice of gathering, retaining, and analyzing computer-related data for 
investigative purposes in a manner that maintains the integrity of the data. 
“Information system” means a discrete set of information resources organized for the collection, 
processing, maintenance, use, sharing, dissemination, or disposition of information. 


“Malicious software” means computer software or firmware intended to perform an unauthorized process 
that will have adverse impact on the confidentiality, integrity, or availability of an information system. This 
definition includes a virus, worm, Trojan horse, or other code-based entity that infects a host, as well as 
spyware and some forms of adware. 


“Media” means physical devices or writing surfaces including, but is not limited to, magnetic tapes, optical 
disks, magnetic disks, large-scale integration memory chips, and printouts onto which covered defense 
information is recorded, stored, or printed within a covered contractor information system. 


“Operationally critical support” means supplies or services designated by the Government as critical for 
airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, 
deployment, or sustainment of the Armed Forces in a contingency operation. 


“Rapidly report” means within 72 hours of discovery of any cyber incident. 


“Technical information” means technical data or computer software, as those terms are defined in the 
clause at DFARS 252.227-7013, Rights in Technical Data—Other Than Commercial Products and 
Commercial Services, regardless of whether or not the clause is incorporated in this solicitation or contract. 
Examples of technical information include research and engineering data, engineering drawings, and 
associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, 
catalog-item identifications, data sets, studies and analyses and related information, and computer software 
executable code and source code. 


(b) Adequate security. The Contractor shall provide adequate security on all covered contractor 
information systems. To provide adequate security, the Contractor shall implement, at a minimum, the 
following information security protections: 


(1) For covered contractor information systems that are part of an Information Technology (IT) 
service or system operated on behalf of the Government, the following security requirements apply: 


(i) Cloud computing services shall be subject to the security requirements specified in the 
clause 252.239-7010, Cloud Computing Services, of this contract. 


(ii) Any other such IT service or system (i.e., other than cloud computing) shall be subject to the 
security requirements specified elsewhere in this contract. 


(2) For covered contractor information systems that are not part of an IT service or system operated 
on behalf of the Government and therefore are not subject to the security requirement specified at 
paragraph (b)(1) of this clause, the following security requirements apply: 


(i) Except as provided in paragraph (b)(2)(ii) of this clause, the covered contractor information 
system shall be subject to the security requirements in National Institute of Standards and Technology 
(NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal 
Information Systems and Organizations” (available via the internet at 
http://dx.doi.org/10.6028/NIST.SP.800-171) in effect at the time the solicitation is issued or as authorized 
by the Contracting Officer. 


(ii)(A) The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than 
December 31, 2017. For all contracts awarded prior to October 1, 2017, the Contractor shall notify the 
DoD Chief Information Officer (CIO), via email at osd.dibcsia@mail.mil, within 30 days of contract 
award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract 
award. 


(B) The Contractor shall submit requests to vary from NIST SP 800-171 in writing to the 
Contracting Officer, for consideration by the DoD CIO. The Contractor need not implement any security 
requirement adjudicated by an authorized representative of the DoD CIO to be nonapplicable or to have an 
alternative, but equally effective, security measure that may be implemented in its place. 


(C) If the DoD CIO has previously adjudicated the contractor’s requests indicating that a 
requirement is not applicable or that an alternative security measure is equally effective, a copy of that 
approval shall be provided to the Contracting Officer when requesting its recognition under this contract. 


(D) If the Contractor intends to use an external cloud service provider to store, process, or 
transmit any covered defense information in performance of this contract, the Contractor shall require and 
ensure that the cloud service provider meets security requirements equivalent to those established by the 
Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline 
(https://www.fedramp.gov/resources/documents/) and that the cloud service provider complies with 
requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, 
media preservation and protection, access to additional information and equipment necessary for forensic 
analysis, and cyber incident damage assessment. 


(3) Apply other information systems security measures when the Contractor reasonably determines 
that information systems security measures, in addition to those identified in paragraphs (b)(1) and (2) of 
this clause, may be required to provide adequate security in a dynamic environment or to accommodate 
special circumstances (e.g., medical devices) and any individual, isolated, or temporary deficiencies based 
on an assessed risk or vulnerability. These measures may be addressed in a system security plan. 


(c) Cyber incident reporting requirement. 


(1) When the Contractor discovers a cyber incident that affects a covered contractor information 
system or the covered defense information residing therein, or that affects the contractor’s ability to 
perform the requirements of the contract that are designated as operationally critical support and identified 
in the contract, the Contractor shall— 


(i) Conduct a review for evidence of compromise of covered defense information, including, but 
not limited to, identifying compromised computers, servers, specific data, and user accounts. This review 
shall also include analyzing covered contractor information system(s) that were part of the cyber incident, 
as well as other information systems on the Contractor’s network(s), that may have been accessed as a 
result of the incident in order to identify compromised covered defense information, or that affect the 
Contractor’s ability to provide operationally critical support; and 


(ii) Rapidly report cyber incidents to DoD at https://dibnet.dod.mil. 


(2) Cyber incident report. The cyber incident report shall be treated as information created by or for 
DoD and shall include, at a minimum, the required elements at https://dibnet.dod.mil. 


(3) Medium assurance certificate requirement. In order to report cyber incidents in accordance with 
this clause, the Contractor or subcontractor shall have or acquire a DoD-approved medium assurance 
certificate to report cyber incidents. For information on obtaining a DoD-approved medium assurance 
certificate, see https://public.cyber.mil/eca/. 


(d) Malicious software. When the Contractor or subcontractors discover and isolate malicious software 
in connection with a reported cyber incident, submit the malicious software to DoD Cyber Crime Center 
(DC3) in accordance with instructions provided by DC3 or the Contracting Officer. Do not send the 
malicious software to the Contracting Officer. 


(e) Media preservation and protection. When a Contractor discovers a cyber incident has occurred, the 
Contractor shall preserve and protect images of all known affected information systems identified in 
paragraph (c)(1)(i) of this clause and all relevant monitoring/packet capture data for at least 90 days from 
the submission of the cyber incident report to allow DoD to request the media or decline interest. 


(f) Access to additional information or equipment necessary for forensic analysis. Upon request by 
DoD, the Contractor shall provide DoD with access to additional information or equipment that is 
necessary to conduct a forensic analysis. 


(g) Cyber incident damage assessment activities. If DoD elects to conduct a damage assessment, the 
Contracting Officer will request that the Contractor provide all of the damage assessment information 
gathered in accordance with paragraph (e) of this clause. 


(h) DoD safeguarding and use of contractor attributional/proprietary information. The Government 
shall protect against the unauthorized use or release of information obtained from the contractor (or derived 
from information obtained from the contractor) under this clause that includes contractor 
attributional/proprietary information, including such information submitted in accordance with paragraph 
(c). To the maximum extent practicable, the Contractor shall identify and mark attributional/proprietary 
information. In making an authorized release of such information, the Government will implement 
appropriate procedures to minimize the contractor attributional/proprietary information that is included in 
such authorized release, seeking to include only that information that is necessary for the authorized 
purpose(s) for which the information is being released. 


(i) Use and release of contractor attributional/proprietary information not created by or for 
DoD. Information that is obtained from the contractor (or derived from information obtained from the 
contractor) under this clause that is not created by or for DoD is authorized to be released outside of 
DoD— 


(1) To entities with missions that may be affected by such information; 


(2) To entities that may be called upon to assist in the diagnosis, detection, or mitigation of cyber 
incidents; 


(3) To Government entities that conduct counterintelligence or law enforcement investigations; 
(4) For national security purposes, including cyber situational awareness and defense purposes 
(including with Defense Industrial Base (DIB) participants in the program at 32 CFR part 236); or 


(5) To a support services contractor (“recipient”) that is directly supporting Government activities 
under a contract that includes the clause at 252.204-7009, Limitations on the Use or Disclosure of Third-Party 
Contractor Reported Cyber Incident Information. 


(j) Use and release of contractor attributional/proprietary information created by or for 
DoD. Information that is obtained from the contractor (or derived from information obtained from the 
contractor) under this clause that is created by or for DoD (including the information submitted pursuant to 
paragraph (c) of this clause) is authorized to be used and released outside of DoD for purposes and 
activities authorized by paragraph (i) of this clause, and for any other lawful Government purpose or 
activity, subject to all applicable statutory, regulatory, and policy based restrictions on the Government’s 
use and release of such information. 


(k) The Contractor shall conduct activities under this clause in accordance with applicable laws and 
regulations on the interception, monitoring, access, use, and disclosure of electronic communications and 
data. 


(l) Other safeguarding or reporting requirements. The safeguarding and cyber incident reporting 
required by this clause in no way abrogates the Contractor’s responsibility for other safeguarding or cyber 
incident reporting pertaining to its unclassified information systems as required by other applicable clauses 
of this contract, or as a result of other applicable U.S. Government statutory or regulatory requirements. 


(m) Subcontracts. The Contractor shall— 


(1) Include this clause, including this paragraph (m), in subcontracts, or similar contractual 
instruments, for operationally critical support, or for which subcontract performance will involve covered 
defense information, including subcontracts for commercial products or commercial services, without 
alteration, except to identify the parties. The Contractor shall determine if the information required for 
subcontractor performance retains its identity as covered defense information and will require protection 
under this clause, and, if necessary, consult with the Contracting Officer; and 


(2) Require subcontractors to— 


(i) Notify the prime Contractor (or next higher-tier subcontractor) when submitting a request to 
vary from a NIST SP 800-171 security requirement to the Contracting Officer, in accordance with 
paragraph (b)(2)(ii)(B) of this clause; and 


(ii) Provide the incident report number, automatically assigned by DoD, to the prime Contractor 
(or next higher-tier subcontractor) as soon as practicable, when reporting a cyber incident to DoD as 
required in paragraph (c) of this clause. 


(End of clause) 


(End of Section I) 
SECTION J - List of Documents, Exhibits and Other Attachments 
A. List of Attachments 


None 


(End of Section J) 